Use a hashed password for ADMIN_PASSWORD

A generate_password_hash manage.py command is provided Fixes #233
2025-05-05 12:41:49 +02:00 · 2017-06-23 18:01:41 +02:00 · 2017-06-23 18:01:41 +02:00 · 999df67a96
commit 999df67a96
parent db29648956
4 changed files with 25 additions and 9 deletions
--- a/budget/manage.py
+++ b/budget/manage.py
@ -1,15 +1,26 @@
 #!/usr/bin/env python

-from flask_script import Manager
+from flask_script import Manager, Command
 from flask_migrate import Migrate, MigrateCommand
+from werkzeug.security import generate_password_hash

 from run import app
 from models import db
+from getpass import getpass
+
+
+class GeneratePasswordHash(Command):
+    "Get password from user and hash it without printing it in clear text"
+
+    def run(self):
+        password = getpass(prompt='Password: ')
+        print(generate_password_hash(password))

 migrate = Migrate(app, db)

 manager = Manager(app)
 manager.add_command('db', MigrateCommand)
+manager.add_command('generate_password_hash', GeneratePasswordHash)


 if __name__ == '__main__':
--- a/budget/tests/tests.py
+++ b/budget/tests/tests.py
@ -10,6 +10,7 @@ import json
 from collections import defaultdict
 import six

+from werkzeug.security import generate_password_hash
 from flask import session

 # Unset configuration file env var if previously set
@ -376,7 +377,7 @@ class BudgetTestCase(TestCase):
            self.assertNotIn('raclette', session)

    def test_admin_authentication(self):
-        run.app.config['ADMIN_PASSWORD'] = "pass"
+        run.app.config['ADMIN_PASSWORD'] = generate_password_hash("pass")

        # test the redirection to the authentication page when trying to access admin endpoints
        resp = self.app.get("/create")
--- a/budget/web.py
+++ b/budget/web.py
@ -13,6 +13,8 @@ from flask import Blueprint, current_app, flash, g, redirect, \
    render_template, request, session, url_for, send_file
 from flask_mail import Mail, Message
 from flask_babel import get_locale, gettext as _
+from werkzeug.security import generate_password_hash, \
+     check_password_hash
 from smtplib import SMTPRecipientsRefused
 import werkzeug
 from sqlalchemy import orm
@ -35,10 +37,10 @@ def requires_admin(f):
    """
    @wraps(f)
    def admin_auth(*args, **kws):
-        admin_password = session.get('admin_password', '')
-        if not admin_password == current_app.config['ADMIN_PASSWORD']:
-            raise Redirect303(url_for('.admin', goto=request.path))
-        return f(*args, **kws)
+        is_admin = session.get('is_admin')
+        if is_admin or not current_app.config['ADMIN_PASSWORD']:
+            return f(*args, **kws)
+        raise Redirect303(url_for('.admin', goto=request.path))
    return admin_auth


@ -87,8 +89,8 @@ def admin():
    goto = request.args.get('goto', url_for('.home'))
    if request.method == "POST":
        if form.validate():
-            if form.admin_password.data == current_app.config['ADMIN_PASSWORD']:
-                session['admin_password'] = form.admin_password.data
+            if check_password_hash(current_app.config['ADMIN_PASSWORD'], form.admin_password.data):
+                session['is_admin'] = True
                session.update()
                return redirect(goto)
            else:
--- a/docs/installation.rst
+++ b/docs/installation.rst
@ -85,7 +85,9 @@ properly.
 +----------------------------+---------------------------+-----------------------------------------------------------------------------+
 | ACTIVATE_DEMO_PROJECT      |  ``True``                 | If set to `True`, a demo project will be available on the frontpage.        |
 +----------------------------+---------------------------+-----------------------------------------------------------------------------+
-| ADMIN_PASSWORD             |  ``""``                   | If not empty, the specified password must be entered to create new projects |
+|                            |  ``""``                   | If not empty, the specified password must be entered to create new projects.|
+| ADMIN_PASSWORD             |                           | It needs to be hashed with the following command :                          |
+|                            |                           |     budget/manage.py generate_password_hash                                 |
 +----------------------------+---------------------------+-----------------------------------------------------------------------------+

 .. _`the SQLAlechemy documentation`: http://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls